March 2026 Security Issues in the Korean & Global Financial Sector

Multiple malware campaigns in March 2026 targeted Korean and global financial institutions using phishing (Korean-language attachments, HTML/JS), web shells, droppers, backdoors, downloaders, infostealers, and CoinMiner to achieve compromise and persistence. Notable incidents included a Lazarus watering‑hole exploit of AnySign4PC resulting in RCE, Telegram API account compromises (~4% of compromised accounts belonged to the financial sector), large dark‑web breach claims (e.g., NR Capital), and ransomware/DDoS incidents with data leaks. #Lazarus #NRCapital

Keypoints

  • Multiple malware families—Web Shell, Phishing, Backdoor, Dropper, Downloader, Infostealer, and CoinMiner—were observed targeting the financial sector in March 2026.
  • Phishing campaigns frequently used Korean‑language attachment names and HTML/JS executable files as distribution funnels.
  • The Lazarus group exploited the AnySign4PC vulnerability in watering‑hole attacks to achieve remote code execution, and several watering‑hole sites were reused.
  • Account compromise campaigns leveraging the Telegram API were confirmed, with approximately 4% of compromised accounts tied to the financial sector.
  • Dark‑web and forum posts claimed large database breaches and sales (e.g., NR Capital ~2TB, Ameriprise 200GB, Nu Colombia 30k documents, Agrobanco 250k records).
  • Ransomware groups (Apt73, PayoutsKing, WorldLeaks, etc.) breached financial firms and posted data to DLS, increasing double‑extortion and large‑scale leakage risk.
  • Pro‑political DDoS attacks by hacktivists disrupted banking website availability and included claims of customer data breaches.
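As an added example (not part of the ASEC report or its tooling), the following Python triage routine turns the phishing traits in the keypoints above into a mail-gateway check: it flags attachments whose final extension is an HTML/JS-type script that opens in a browser or Windows Script Host, notes document-looking double extensions, and records a Korean-language filename as context. The extension list, the `Finding` type and the sample attachment names are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Extensions that a browser or Windows Script Host executes on open.
# Constructed list for this example; align it with what your gateway already blocks.
SCRIPT_EXTS = {"html", "htm", "js", "jse", "hta", "wsf"}
# Hangul Jamo, Hangul Compatibility Jamo and Hangul Syllables blocks
HANGUL_RE = re.compile(r"[\u1100-\u11ff\u3130-\u318f\uac00-\ud7a3]")


@dataclass(frozen=True)
class Finding:
    filename: str
    reasons: tuple


def extensions(name: str) -> List[str]:
    """All dotted suffixes of the base name, lowercased: 'a.pdf.js' -> ['pdf', 'js']."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return parts[1:] if len(parts) > 1 else []


def triage_attachment(name: str) -> Optional[Finding]:
    """Return a Finding when the attachment name shows any of the report's traits."""
    reasons = []
    exts = extensions(name)
    if exts and exts[-1] in SCRIPT_EXTS:
        reasons.append("script-extension:." + exts[-1])
        if len(exts) >= 2:
            # 'invoice.pdf.js' style: a document-looking name hiding a script
            reasons.append("double-extension:." + ".".join(exts[-2:]))
    if HANGUL_RE.search(name):
        reasons.append("hangul-filename")
    return Finding(name, tuple(reasons)) if reasons else None


def triage_batch(names) -> List[Finding]:
    return [f for f in map(triage_attachment, names) if f is not None]


def needs_quarantine(f: Finding) -> bool:
    """Only executable attachments are quarantined; a Korean filename alone is context."""
    return any(r.startswith("script-extension") for r in f.reasons)


# Constructed sample attachment names (not taken from the report)
SAMPLE_ATTACHMENTS = [
    "견적서_2026.html",
    "invoice_0317.pdf",
    "계약서.pdf.js",
    "statement.hta",
    "report_2026Q1.docx",
]

if __name__ == "__main__":
    for f in triage_batch(SAMPLE_ATTACHMENTS):
        print("QUARANTINE" if needs_quarantine(f) else "REVIEW", f.filename, f.reasons)
```

The language check is deliberately kept out of the quarantine decision: Korean filenames are normal traffic for a Korean institution, so they only raise the priority of a finding that already has an executable extension.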

MITRE Techniques

  • [T1566] Phishing – Used Korean‑language attachments and executable HTML/JS files to deliver phishing and execute code [‘a large number of attachment names were identified in Korean, and HTML/JS executable files were frequently used as phishing funnels.’]
  • [T1189] Drive-by Compromise (Watering Hole) – Watering‑hole sites were used to host and distribute exploit content and were continuously reused [‘the AnySign4PC vulnerability was exploited in a watering hole attack by the Lazarus group, resulting in remote code execution, and multiple watering hole distribution sites were found to be continuously used.’]
  • [T1190] Exploit Public-Facing Application – The AnySign4PC vulnerability was exploited to achieve remote code execution on targeted systems [‘the AnySign4PC vulnerability was exploited in a watering hole attack by the Lazarus group, resulting in remote code execution…’]
  • [T1505] Web Shell – Web shells were deployed to maintain access on compromised servers and were among the top malware observed [‘The top 10 malware for the month included Web Shell…’]
  • [T1078] Valid Accounts – Attackers leveraged the Telegram API to compromise and access accounts, impacting financial sector users (~4%) [‘account compromise campaigns through the Telegram API were confirmed, with approximately 4% of the compromised accounts coming from the financial sector.’]
  • [T1041] Exfiltration – Stolen data was exfiltrated and posted to data leak sites (DLS) or offered for sale on dark‑web forums [‘some companies’ data was released to the DLS or was exfiltrated in full.’ ‘selling and claiming to disclose large databases…’]
  • [T1486] Data Encrypted for Impact (Ransomware) – Ransomware incidents involved encryption and double‑extortion tactics with data disclosure to DLS [‘a number of cases of ransomware groups … breaching the financial sector and disclosing DLS were confirmed, raising the risk of double extortion and large-scale data leakage.’]
  • [T1499] Network Denial of Service – Pro‑political DDoS attacks reduced the availability of banking websites and included claims of customer data breaches [‘pro-political DDoS attacks by hacktivists reduced the availability of some banking websites and claimed customer data breaches.’]

Indicators of Compromise

  • [MD5] Malware sample hashes observed – 04f1f6e2d8a0cfb58c9dab5546bbd13f, 3fc3962721c62a7352fb4230e36a6089, and 3 more hashes
  • [URL] Watering‑hole / distribution sites and phishing pages – http[:]//www[.]kimeye[.]com/kimeye, https[:]//chonanrent[.]co[.]kr/include/menu0206[.]php?id=20260123015897, and 3 more URLs
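As an added example (not code from the ASEC report), the script below shows how a SOC would operationalise the indicators listed above: it refangs the defanged URLs, derives a host list for TLS traffic where only the CONNECT host is visible, and sweeps a proxy log and a file-hash inventory for the two hashes and two URLs the digest gives in full. The proxy log format, the inventory format and every log line are constructed for the example; the `notepad.exe` digest is a placeholder, not a real hash.

```python
import re
from urllib.parse import urlsplit

# IoCs taken from the digest above (the two hashes and two URLs it lists in full)
IOC_MD5 = {
    "04f1f6e2d8a0cfb58c9dab5546bbd13f",
    "3fc3962721c62a7352fb4230e36a6089",
}
DEFANGED_URLS = [
    "http[:]//www[.]kimeye[.]com/kimeye",
    "https[:]//chonanrent[.]co[.]kr/include/menu0206[.]php?id=20260123015897",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator (hxxp, [:], [.], (.)) back into a usable string."""
    s = re.sub(r"^hxxp", "http", ioc.strip(), flags=re.I)
    return s.replace("[:]", ":").replace("[.]", ".").replace("(.)", ".")


IOC_URLS = {refang(u) for u in DEFANGED_URLS}
# Host-level indicators: needed for CONNECT tunnels and for other paths on the same site
IOC_HOSTS = {urlsplit(u).hostname.lower() for u in IOC_URLS}


def scan_proxy_log(lines):
    """Match constructed proxy lines of the form: ts client method target status."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        ts, client, method, target = fields[:4]
        if method == "CONNECT":
            # TLS tunnel: only host:port is logged, so match on host alone
            host = target.rsplit(":", 1)[0].lower()
            if host in IOC_HOSTS:
                hits.append((ts, client, "host", host))
            continue
        if target in IOC_URLS:
            hits.append((ts, client, "url", target))
            continue
        host = (urlsplit(target).hostname or "").lower()
        if host in IOC_HOSTS:
            hits.append((ts, client, "host", host))
    return hits


def scan_hash_inventory(lines):
    """Match constructed 'path md5' inventory lines against the report's hashes."""
    hits = []
    for line in lines:
        parts = line.rsplit(None, 1)
        if len(parts) != 2:
            continue
        path, digest = parts
        if digest.lower() in IOC_MD5:
            hits.append((path, digest.lower()))
    return hits


# Constructed sample data (not from the report)
PROXY_LOG = [
    "1774000000.123 10.0.0.5 GET http://www.kimeye.com/kimeye 200",
    "1774000001.456 10.0.0.7 GET https://example.com/index.html 200",
    "1774000002.789 10.0.0.9 CONNECT chonanrent.co.kr:443 200",
    "1774000003.001 10.0.0.9 GET http://www.kimeye.com/other/page 404",
]
HASH_INVENTORY = [
    "C:\\Users\\user\\Downloads\\setup.exe 3fc3962721c62a7352fb4230e36a6089",
    "C:\\Windows\\System32\\notepad.exe 0123456789abcdef0123456789abcdef",  # placeholder digest
]

if __name__ == "__main__":
    for hit in scan_proxy_log(PROXY_LOG):
        print("proxy", *hit)
    for hit in scan_hash_inventory(HASH_INVENTORY):
        print("file", *hit)
```

Matching on the host as well as the exact URL matters for watering-hole indicators: the digest notes that the distribution sites were reused, so a different path on the same host is still worth a ticket, and HTTPS traffic through a forward proxy exposes nothing more than the host anyway.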

Read more: https://asec.ahnlab.com/en/93421/